Splunk Search

Find the keyword in the raw data and match it with Splunk

prettysunshinez
Explorer

Hi,

I have a lookup file with the columns (fields) Name and SubName.
Now I want to run a query which looks for the presence of Name in the raw data; if it is present, it checks whether that Name is present in the lookup file and, if so, takes the respective value of SubName and produces a search result with Name, SubName and count.
If the value is not present, it should display the Name as New and the SubName as Fix.

Kindly help!


gcusello
Legend

Hi @prettysunshinez,
may I assume that Name is an extracted field in your raw data?
If so, you can run something like this:

index=your_index
| dedup Name
| lookup my_lookup.csv Name OUTPUT SubName
| sort Name
| fillnull value="fix" SubName
| table Name SubName

Ciao.
Giuseppe


prettysunshinez
Explorer

Hi @gcusello
Thanks for the suggestion.

I think I was not clear in asking 🙂

The actual aim is to find the count of each Name present in the logs and match its SubName from the lookup file.
If the Name is not present, it should be displayed as New.

Name is not an already extracted field, and hence I'm writing a regex to extract it.
(It is the word present right before the word Error, and I have written a regex for it.)

Now my search has to check for the presence of Name (a specific pattern matched through the regex) in the logs; when it is found, it has to check whether that Name exists in the lookup file and display its SubName from the lookup. If the Name is not present, then it has to be displayed as New.

My senior suggested the query below, and it doesn't seem to help.

index=your_index
 | rename _raw as rawText
 | eval pattern=[ 
     | inputlookup mylookup.csv
     | stats values(Name) AS query
     | eval query=mvjoin(query,",")
     | fields query
     | format "" "" "" "" "" ""
     ]
 | eval pattern=split(pattern,",")
 | mvexpand pattern
 | eval pattern="%".pattern."%"
 | eval check=if(like(rawText,pattern),pattern,"No")
 | where check!="No"
 | rex field=pattern "\%(?<pattern>[^\%]*)\%"
 | lookup mylookup.csv Name AS pattern OUTPUT SubName
 | rename pattern AS Name
 | fillnull value="New" SubName
 | stats count by Name SubName

This doesn't seem to help.
Could you kindly share your thoughts/suggestions on this, please?

Thanks in advance!


prettysunshinez
Explorer

Hi,

Could you provide your suggestions, please?


gcusello
Legend

Hi @prettysunshinez,
as I said, if you manage to extract the Name field, my search is the solution to your question:

 index=your_index
 | rex "your regex"
 | dedup Name
 | lookup my_lookup.csv Name OUTPUT SubName
 | sort Name
 | fillnull value="New" SubName
 | table Name SubName

If you share an example of your logs, I can help you with the regex.

If instead you cannot extract the Name field and you have to search for the names from the lookup in your search as text strings, you have to use the search that your senior suggested, which is correct (it's one of my old answers!).

Ciao.
Giuseppe

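The pipeline gcusello describes, as an added example that is not part of this thread and not Splunk's own code: a Python re-implementation of `index=your_index | rex "(?<Name>\w+)\s+Error" | lookup my_lookup.csv Name OUTPUT SubName | fillnull value="New" SubName | stats count by Name SubName`, run over constructed log lines and a constructed lookup table so the behaviour can be checked offline. The regex, the sample events and the lookup contents are assumptions. `stats` stands in for the `dedup`/`table` of the original search because the asker wants a count per Name, and `dedup Name` would discard every event after the first one for each Name; the `mask_unknown` flag switches between gcusello's fillnull on SubName and the first post's "Name as New, SubName as Fix" variant.

```python
import csv
import io
import re
from collections import Counter

# Constructed stand-in for my_lookup.csv (assumed contents, not from the thread).
LOOKUP_CSV = """Name,SubName
DBConn,Database
AuthSvc,Identity
Cache,Infra
"""

# Constructed sample events. The token right before "Error" is the Name.
SAMPLE_EVENTS = [
    "2022-08-03 10:00:01 host1 DBConn Error: connection refused",
    "2022-08-03 10:00:02 host1 AuthSvc Error: token expired",
    "2022-08-03 10:00:03 host2 DBConn Error: timeout",
    "2022-08-03 10:00:04 host2 Scheduler Error: job failed",
    "2022-08-03 10:00:05 host3 INFO: heartbeat ok",
]

# Same capture as an SPL `rex "(?<Name>\w+)\s+Error"` (assumed regex).
NAME_RE = re.compile(r"(?P<Name>\w+)\s+Error\b")


def load_lookup(csv_text):
    """Read the lookup into a dict, like Splunk loading a CSV lookup file.
    Keys match exactly and case-sensitively, which is also Splunk's default."""
    return {row["Name"]: row["SubName"] for row in csv.DictReader(io.StringIO(csv_text))}


def extract_name(event):
    """The `rex` step: return the captured Name, or None when the pattern is absent."""
    m = NAME_RE.search(event)
    return m.group("Name") if m else None


def count_by_name(events, lookup, mask_unknown=False):
    """`lookup` + `fillnull` + `stats count by Name SubName`.

    mask_unknown=False keeps the extracted Name and fills SubName with "New"
    (gcusello's fillnull on SubName). mask_unknown=True instead reports every
    unknown Name as Name="New", SubName="Fix", as the first post asked.
    Events with no Name drop out, exactly as `stats count by Name` drops events
    whose Name field is null. Returns a sorted list of (Name, SubName, count).
    """
    counts = Counter()
    for ev in events:
        name = extract_name(ev)
        if name is None:
            continue
        sub = lookup.get(name)
        if sub is None:
            if mask_unknown:
                name, sub = "New", "Fix"
            else:
                sub = "New"
        counts[(name, sub)] += 1
    return sorted((n, s, c) for (n, s), c in counts.items())


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for row in count_by_name(SAMPLE_EVENTS, table):
        print("%-10s %-10s %d" % row)
```

Run as-is, the table shows DBConn twice, AuthSvc once and Scheduler with SubName New; the heartbeat line never reaches the count because the regex does not match it. Keep in mind that a CSV lookup in Splunk matches case-sensitively unless `case_sensitive_match = false` is set on the lookup definition in transforms.conf, which is why the dict lookup here is deliberately exact; if the Name in the logs varies in case, lower-case it in both the rex output and the lookup before matching.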